CVE-2023-33251
https://notcve.org/view.php?id=CVE-2023-33251
When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. • https://akka.io/security/akka-http-cve-2023-05-15.html •
CVE-2023-31442
https://notcve.org/view.php?id=CVE-2023-31442
In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0. • https://akka.io/security/akka-async-dns-2023-31442.html https://lightbend.com •
CVE-2021-23339 – HTTP Request Smuggling
https://notcve.org/view.php?id=CVE-2021-23339
This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It accepts requests carrying multiple Transfer-Encoding headers, which enables HTTP request smuggling. • https://github.com/akka/akka-http/pull/3754%23issuecomment-779265201 https://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2018-16131
https://notcve.org/view.php?id=CVE-2018-16131
The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. • https://akka.io/blog/news/2018/08/30/akka-http-dos-vulnerability-found https://doc.akka.io/docs/akka-http/current/security/2018-09-05-denial-of-service-via-decodeRequest.html https://github.com/akka/akka-http/issues/2137 https://groups.google.com/forum/#%21topic/akka-security/Dj7INsYWdjg • CWE-400: Uncontrolled Resource Consumption •
CVE-2018-16115
https://notcve.org/view.php?id=CVE-2018-16115
Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. • https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •